Commit 2e4aad3

PE-35472: dog - now using 'dst' in outbound rules
1 parent c171503 commit 2e4aad3

1 file changed

+48
-19
lines changed


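--- a/src/dog_iptables_ruleset.erl
+++ b/src/dog_iptables_ruleset.erl
@@ -570,6 +570,7 @@ json_to_rule(
 CommentJson = get_comment(maps:get(<<"comment">>, Json)),
 Comment = get_comment_json(CommentJson),
 Active = get_active(maps:get(<<"active">>, Json)),
+SrcDst = get_src_or_dst(Direction, Symmetric),
 {RoleMap, ZoneMap} =
 case Version of
 <<"v4">> -> {Ipv4RoleMap, Ipv4ZoneMap};
@@ -597,7 +598,8 @@ json_to_rule(
 Comment,
 GroupType,
 ServiceName,
-IpsetName
+IpsetName,
+SrcDst
 );
 %TODO conversion between ipv4 and ipv6 masks
 connlimit ->
@@ -617,7 +619,8 @@ json_to_rule(
 Comment,
 ServiceName,
 IpsetName,
-ConnLimitString
+ConnLimitString,
+SrcDst
 );
 recent ->
 RecentName = maps:get(
@@ -640,7 +643,8 @@ json_to_rule(
 Comment,
 ServiceName,
 IpsetName,
-RecentString
+RecentString,
+SrcDst
 ),
 RecentSetString = get_recent_set(RecentName),
 RecentSetRule = generate_recent_rule_set_set(
@@ -653,7 +657,8 @@ json_to_rule(
 Comment,
 ServiceName,
 IpsetName,
-RecentSetString
+RecentSetString,
+SrcDst
 ),
 io_lib:format("~s~n~s", [RecentRule, RecentSetRule])
 end;
@@ -837,25 +842,27 @@ generate_basic_rule_set(
 Comment,
 _GroupType,
 ServiceName,
-IpsetName
+IpsetName,
+SrcDst
 ) ->
 case {IpsetName, ServiceName} of
 {<<"ANY">>, <<"ANY">>} ->
 io_lib:format("-A ~s~s~s~s -j ~s~n", [Chain, Interface, States, Comment, Action]);
 {_, <<"ANY">>} ->
-io_lib:format("-A ~s~s -m set --match-set ~s src~s~s -j ~s~n", [
-Chain, Interface, IpsetName, States, Comment, Action
+io_lib:format("-A ~s~s -m set --match-set ~s ~s~s~s -j ~s~n", [
+Chain, Interface, IpsetName, SrcDst, States, Comment, Action
 ]);
 {<<"ANY">>, _} ->
 io_lib:format("-A ~s~s~s~s ~s~s~s -j ~s~n", [
 Chain, Interface, ProtocolString, PortParameter, Ports, States, Comment, Action
 ]);
 {_, _} ->
-io_lib:format("-A ~s~s~s -m set --match-set ~s src~s ~s~s~s -j ~s~n", [
+io_lib:format("-A ~s~s~s -m set --match-set ~s ~s~s ~s~s~s -j ~s~n", [
 Chain,
 Interface,
 ProtocolString,
 IpsetName,
+SrcDst,
 PortParameter,
 Ports,
 States,
@@ -876,18 +883,20 @@ generate_connlimit_rule_set(
 Comment,
 ServiceName,
 IpsetName,
-ConnLimitString
+ConnLimitString,
+SrcDst
 ) ->
 case {IpsetName, ServiceName} of
 {<<"ANY">>, <<"ANY">>} ->
 io_lib:format("-A ~s~s~s~s~s -j ~s~n", [
 Chain, Interface, States, ConnLimitString, Comment, Action
 ]);
 {_, <<"ANY">>} ->
-io_lib:format("-A ~s~s -m set --match-set ~s src~s~s~s -j ~s~n", [
+io_lib:format("-A ~s~s -m set --match-set ~s ~s~s~s~s -j ~s~n", [
 Chain,
 Interface,
 IpsetName,
+SrcDst,
 States,
 ConnLimitString,
 Comment,
@@ -906,11 +915,12 @@ generate_connlimit_rule_set(
 Action
 ]);
 {_, _} ->
-io_lib:format("-A ~s~s~s -m set --match-set ~s src~s ~s~s~s~s -j ~s~n", [
+io_lib:format("-A ~s~s~s -m set --match-set ~s ~s~s ~s~s~s~s -j ~s~n", [
 Chain,
 Interface,
 ProtocolString,
 IpsetName,
+SrcDst,
 PortParameter,
 Ports,
 States,
@@ -934,16 +944,17 @@ generate_recent_rule_set(
 Comment,
 ServiceName,
 IpsetName,
-RecentString
+RecentString,
+SrcDst
 ) ->
 case {IpsetName, ServiceName} of
 {<<"ANY">>, <<"ANY">>} ->
 io_lib:format("-A ~s~s~s~s~s -j ~s~n", [
 Chain, Interface, States, RecentString, Comment, Action
 ]);
 {_, <<"ANY">>} ->
-io_lib:format("-A ~s~s -m set --match-set ~s src~s~s~s -j ~s~n", [
-Chain, Interface, IpsetName, States, RecentString, Comment, Action
+io_lib:format("-A ~s~s -m set --match-set ~s ~s~s~s~s -j ~s~n", [
+Chain, Interface, IpsetName, SrcDst, States, RecentString, Comment, Action
 ]);
 {<<"ANY">>, _} ->
 io_lib:format("-A ~s~s~s~s ~s~s~s~s -j ~s~n", [
@@ -958,11 +969,12 @@ generate_recent_rule_set(
 Action
 ]);
 {_, _} ->
-io_lib:format("-A ~s~s~s -m set --match-set ~s src~s ~s~s~s~s -j ~s~n", [
+io_lib:format("-A ~s~s~s -m set --match-set ~s ~s~s ~s~s~s~s -j ~s~n", [
 Chain,
 Interface,
 ProtocolString,
 IpsetName,
+SrcDst,
 PortParameter,
 Ports,
 States,
@@ -1000,14 +1012,15 @@ generate_recent_rule_set_set(
 Comment,
 ServiceName,
 IpsetName,
-RecentString
+RecentString,
+SrcDst
 ) ->
 case {IpsetName, ServiceName} of
 {<<"ANY">>, <<"ANY">>} ->
 io_lib:format("-A ~s~s~s~s~s~n", [Chain, Interface, States, RecentString, Comment]);
 {_, <<"ANY">>} ->
-io_lib:format("-A ~s~s -m set --match-set ~s src~s~s~s~n", [
-Chain, Interface, IpsetName, States, RecentString, Comment
+io_lib:format("-A ~s~s -m set --match-set ~s ~s~s~s~s~n", [
+Chain, Interface, IpsetName, SrcDst, States, RecentString, Comment
 ]);
 {<<"ANY">>, _} ->
 io_lib:format("-A ~s~s~s~s ~s~s~s~s~n", [
@@ -1021,11 +1034,12 @@ generate_recent_rule_set_set(
 Comment
 ]);
 {_, _} ->
-io_lib:format("-A ~s~s~s -m set --match-set ~s src~s ~s~s~s~s~n", [
+io_lib:format("-A ~s~s~s -m set --match-set ~s ~s~s ~s~s~s~s~n", [
 Chain,
 Interface,
 ProtocolString,
 IpsetName,
+SrcDst,
 PortParameter,
 Ports,
 States,
@@ -1106,6 +1120,21 @@ get_source_parameter(Direction) ->
 outbound -> "-d"
 end.
 
+-spec get_src_or_dst(Direction :: atom(), Symmetric :: boolean()) -> iolist().
+get_src_or_dst(Direction, Symmetric) ->
+case Symmetric of
+true ->
+case Direction of
+inbound -> "src";
+outbound -> "src"
+end;
+false ->
+case Direction of
+inbound -> "src";
+outbound -> "dst"
+end
+end.
+
 -spec get_service_name(ServiceId :: binary(), ServiceIdMap :: map()) -> {error, atom()} | binary().
 get_service_name(ServiceId, ServiceIdMap) ->
 case maps:get(<<"name">>, maps:get(ServiceId, ServiceIdMap)) of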
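Review bot: The new get_src_or_dst/2 in the last hunk nests two case expressions to express a three-way table in which both arms of the Symmetric = true branch return "src"; function-head clauses say the same thing in three lines, and the -spec can be tightened from Direction :: atom() to inbound | outbound (any other atom already raises case_clause) and from iolist() to string(), which is what the literals are. The behaviour this fixes is worth a why-comment: a symmetric rule keeps matching the ipset as src even on the outbound side, while get_source_parameter, whose definition begins above this hunk, switches to "-d" for outbound unconditionally; if that asymmetry is intended, a comment such as `%% Symmetric rules are matched against the set as src in both directions; only asymmetric outbound rules match the set as dst.` would stop a later reader from "correcting" it. Since SrcDst can only ever be one of two literal atoms' worth of text, interpolating it with ~s into the iptables line adds no injection surface, which is worth a short note where it is spliced into the format strings.
```erlang
-spec get_src_or_dst(Direction :: inbound | outbound, Symmetric :: boolean()) -> string().
get_src_or_dst(_Direction, true) -> "src";
get_src_or_dst(inbound, false) -> "src";
get_src_or_dst(outbound, false) -> "dst".
```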
